similar to: [Samba as AD] ACLs on LDAP attributes?

2016 Jun 28
0
[Samba as AD] ACLs on LDAP attributes?
On 28/06/16 14:07, mathias dufresne wrote: > Hi all, > > We are thinking to hide some attribute contents to almost everyone but > those we decide they can read it. It is possible with real LDAP servers as > OpenLDAP but is it with LDAP server shipped with Samba 4 working as AD? > > About accessing the whole tree I believe that Samba as AD refuses any > unauthenticated
2015 May 07
4
4.2.1 Indexing attributes
Hi all, System is Centos 7 and Samba is 4.2.1 sernet version. The database contains 120k users and 150k computers. Its size is 3.3GB on DC01 where the imports were performed and 2.8GB on the second DC. I was trying to index uid attribute and I have a strange behaviour. According to https://msdn.microsoft.com/en-us/library/ms679765%28v=vs.85%29.aspx it is the "searchFlags"
2016 Feb 08
1
[samba4ad] Duplicate attributes list ?
Thank you Rowland for that reply, even if answer to Q2 is not a list of duplicated attributes but the schema which contains all attributes. To answer you: I'm trying to understand. I'm currently working for one company to help them design an AD hosted by Samba. I won't be there to manage it and they already have people working with LDAP trees, these coming with their own habits. I
2016 Sep 07
2
AD, get security descriptor of LDAP object
How please? Before posting I tried by myself but I did not succeed. I asked: ldbsearch -H $sam ou=utilisateurs securityDescriptor # record 1 dn: OU=Utilisateurs,DC=ad,DC=domain # Referral .... 2016-09-07 12:06 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>: > On Wed, 7 Sep 2016 11:57:25 +0200 > mathias dufresne via samba <samba at lists.samba.org> wrote:
2016 Feb 05
2
[samba4ad] Duplicate attributes list ?
Hi all, I just added into my AD a user with different values for attributes "CN" and "name". Here is an extract of the LDIF used to add this user: ------------------------------------------------------------------------------------ dc202:~# egrep 'cn:|name:' mathias.ldif cn: Mathias Dufresne (CN) *name: mathias.dufresne*
2015 Jul 01
2
strange: 20 characters max in samAccountName
Thank you both precisions : ) My users have no "@" in their names (samAccountName nor userPrincipalName nor anything) except in mail attribute). From https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx which I read before initial post I understand AD can have this limitation of 20 chars if and only if you decide to support (so) old clients (that we should stop
2016 Jul 06
2
[samba as AD] Scripting GPO creation
PS: I could share information about what should be modified to modify the very same GPO, I didn't yet as I'm not sure anyone there would be interested and because that would work only for that kind of GPO. 2016-07-06 17:08 GMT+02:00 mathias dufresne <infractory at gmail.com>: > Context: several teams have to manage only a bunch of the company's > computers, so these
2015 Sep 03
1
ldapcmp issue
Thank you Rowland for these info. So no more issue with 4.2.3 and auto-replication : ) Cheers 2015-09-03 11:52 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > On 03/09/15 09:59, mathias dufresne wrote: > >> Hi Mourik, >> >> whenChanged was replicated in my test once I did replicate in both way, so >> it seems to me it is supposed to be
2015 Jul 02
1
strange: 20 characters max in samAccountName
Thank you again Rowland for precision : ) In userPrincipalName there is a "@". It is forged with cn at ad.domain.tld and cn is forged with firstname.sn, as samAccountName, which often is longer than 20 chars. I'll change that... Thank you again all, have a nice day! mathias 2015-07-01 18:56 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > On 01/07/15 17:44,
2015 May 07
1
4.2.1 Indexing attributes
Thank you a lot Luca! I was able to change searchFlags using ldbedit command and I can't test right now the ldbmodify tool as samba seems to be indexing its database (one thread eating 100% CPU for several minutes, since I launched a ldbsearch on "uid" field). I'll try without my typo error (thank you again :) the ldbmodify command (to stop telling it doesn't work when
2015 Sep 03
2
ldapcmp issue
Hi Mourik, whenChanged was replicated in my test once I did replicate in both way, so it seems to me it is supposed to be replicated... Then the fact it is not always replicated seems to me an issue. Perhaps a bug report for these two issue (whenChanged not always replicated and ldapcmp hanging once DB is too much filled) would be the right way to proceed... Cheers, mat 2015-09-03 10:42
2015 May 28
2
ACLs on OUs
Hi all, When created through RSAT OUs receive, by default, ACLs to refuse removal. When created through LDIF and ldbadd OUs do not receive these ACLs. Is there a way to create these ACLs using command line tools? Cheers, mathias
2016 Aug 30
3
AD, ACLs on LDAP objects not replicated?
Hi all, Playing with delegation today we delegated rights to some user on some OU and its contents for it can modify users inside that OU and children. We used "advanced view" in ADUC then "properties" on our delegated OU, then "security" tab, and finally we gave rights to our user. Perhaps this process is not correct but we believe it is a valid process to delegate
2015 Oct 19
2
Samba 4 + Squidguardian
Hi, I have a Samba 4 Domain Member that I use like a Proxy Server. I use Squid with NTLM Authentication and it works perfectly. My problem is Squidguard with NTLM Authentication. If I use Samba 4.2.X in my Samba 4 Domain Controller I watch in Squid LOG only the user name but if I use Samba 4.1.x or 4.3.0 in my Domain Controller I watch in Squid LOG domain\\user name and Squidguard Authentication not
2015 Dec 02
5
Backup Member Server
Hello, Can someone point me to documentation on how to best backup a samba member server? I see the wiki currently does not contain one. Is it as simple as backup all shared folders with rsync or similar that will preserve ACLS along with the smb.conf? I'm currently relying on a raid solution. Thanks. -- -James
2015 Oct 19
5
Samba 4 + Squidguardian
On 19/10/15 16:46, mathias dufresne wrote: > AD from Samba or Microsoft is mainly a database for storing users (and > associated stuffs). It comes also with stuffs (protocols) to connect and > retrieve information. > > How the client uses these information is, as always, a choice from that > specific client. > > Your AD client is your Squid/Squidguard(ian) server. Its job
2015 Jul 01
3
strange: 20 characters max in samAccountName
Hi all, Sernet Samba 4.2.2 as Active Directory on Debian 7.8. No other DC. I can't log in on Windows systems (Windows 7) when samAccountName are longer than 20 characters. This seems to be a LAN MAN or NT4 limitation which should not happen on AD domain. Any idea what could lead me to that limitation? I can log in using administrator account or any other having a short (enough)
2016 Mar 29
2
Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi Mathias and all. On Thursday, 24 March 2016, 13:26:12 CEST, mathias dufresne wrote: > Hi, > > I'm glad that helped you : ) > > About SPN, I found that link few days ago: > https://adsecurity.org/?page_id=183 > It tries to list the string values available usable for SPN. > > And it gives also that link: >
2015 Jun 01
2
32 bits limit?
Hi, You're quite right, I'm using a 64 bits system and I was surprised by this file size limitation on such a system. My bad regarding the title : ) Cheers, mathias 2015-06-01 15:03 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>: > On 01/06/15 13:47, mathias dufresne wrote: > >> Sorry I don't understand your answer. For me 32 bits platforms are dead on
2016 Jul 04
2
[samba as AD] Hidden attributes
Hi all, Is there a way to extract the whole attributes of objects, even hidden attributes, using ldbsearch or any samba tool? Hidden attributes have to be hidden from ldapsearch which can be used through network and so, remotely. ldbsearch can be used only locally by root, which [should] limit who is using it, so perhaps I thought it was possible : )